Skip to content
FeaturesPricingAffiliateBlogHelpAboutContact
Get StartedSign In
Back to Blog
industry2026-05-236 min read

JWT alg-confusion attack — why Supabase's HS256 → RS256/JWKS migration breaks legacy verifiers

Verifiers that never decode the JWT header are wide open to `alg=none` and alg-confusion attacks. When Supabase migrates to JWKS-based RS256, HS256-hardcoded code paths hand attackers a valid access token. Here's the three-layer defense Thmenu shipped in PR #521.

th

Thmenu Team

thmenu.com

Found this helpful? Share it.

X / TwitterLinkedIn